MBA CEO Daniel Forte said his association hopes to make this a much broader issue than one retailer and one very large data breach.
?If we?re successful against TJX, the nation?s major retailers will finally wake up to the fact that not protecting consumer data is an unfair trade practice and that investment in data management systems to protect consumers and shield consumers against fraud and identity theft is required,? Forte said.
The Massachusetts banking group is being joined in the lawsuit by the Connecticut Bankers Association and the Maine Association of Community Banks. Those associations, according to a group statement, "represent nearly 300 banks." A handful of individual banks have also joined as co-plaintiffs. The statement also says that an unspecified number of California banks may also join.
In this kind of a class-action lawsuit, it's not unusual for the plaintiffs to not say how much money they're seeking because it will be greatly influenced by what is learned during the legal discovery process. But Forte did set a floor of what his association is seeking: "?Suffice to say,? Forte said, ?we will be seeking to recover damages in the tens of millions of dollars.?
This lawsuit is different than most of the consumer class-action lawsuits against TJX because the damages incurred by the member banks is more concrete, if not as dramatic. For consumers, credit card zero-liability agreements are generally minimizing or eliminating financial losses, leaving the more nebulous time and aggravation dealing with possible identify theft.
With the banks, though, the financial losses are much more documentable. "Banks all across the nation re-issued debit cards as a result of the TJX data breach. Preliminary estimates of the costs vary from institution to institution, up to $25 dollars per card," the MBA statement said. "This alone would run into many millions of dollars for banks throughout the country. Moreover, when fraud occurs, banks generally cover the entire fraud, replacing money in customer accounts to protect their customers."
Lindsey Pinkham, senior vice president of the Connecticut Bankers Association, pointed out that this retail data breach is going in a very unacceptable direction. "Retail data breaches are getting larger and more frequent and we cannot continue to absorb the costs," Pinkham said.
Forte also argued that Massachusetts laws will be friendlier to a data breach claim than some other jurisdictions where these lawsuits have been filed.
?There are significant differences between this case and prior data breach lawsuits such as the BJ Wholesale Club cases in Pennsylvania,? he said. ?We think we have an advantage trying the case here in Massachusetts. When the BJ?s cases were argued in Pennsylvania, the plaintiffs did not include an unfair trade practices statutory claim, and Massachusetts law allows these claims. In fact, an unfair trade practice claim was asserted by the FTC, which imposed substantial conditions and requirements on their operations. In addition, we will seek to prove that TJX is responsible for negligent misrepresentation. Among other things, the company represented that it was safeguarding and disposing of cardholder data. These representations were not true and showed a lack of reasonable care and were both unfair trade practices and negligent misrepresentation under Massachusetts law. In one of the ongoing BJ?s cases, unlike in Pennsylvania, a motion to dismiss brought by BJ?s was denied in Massachusetts and the case is still proceeding here."